Snap for 10460766 from 1c6058cc0da2c2f03d7114ec9e7417b30bc97811 to mainline-healthfitness-releaseaml_hef_341613000aml_hef_341512030aml_hef_341415040aml_hef_341311010aml_hef_341114030android14-mainline-healthfitness-release

Change-Id: I173668468e0de5e2e1c308911c44c19d55620e67

4 files changed, 36 insertions, 58 deletions

diff --git a/provisioner/rkp_factory_extraction_lib.cpp b/provisioner/rkp_factory_extraction_lib.cpp
index 8db62e6b..ab7d17c9 100644
--- a/provisioner/rkp_factory_extraction_lib.cpp
+++ b/provisioner/rkp_factory_extraction_lib.cpp
@@ -195,7 +195,11 @@ void selfTestGetCsrV1(std::string_view componentName, IRemotelyProvisionedCompon
                                              protectedData, *eekChain, eekId,
                                              hwInfo.supportedEekCurve, irpc, challenge);
 
-    std::cout << "Self test successful." << std::endl;
+    if (!result) {
+        std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName
+                  << "'. Error message: '" << result.message() << "'." << std::endl;
+        exit(-1);
+    }
 }
 
 CborResult<Array> composeCertificateRequestV3(const std::vector<uint8_t>& csr) {
@@ -220,22 +224,7 @@ CborResult<Array> composeCertificateRequestV3(const std::vector<uint8_t>& csr) {
 }
 
 CborResult<cppbor::Array> getCsrV3(std::string_view componentName,
-                                   IRemotelyProvisionedComponent* irpc) {
-    std::vector<uint8_t> csr;
-    std::vector<MacedPublicKey> emptyKeys;
-    const std::vector<uint8_t> challenge = generateChallenge();
-
-    auto status = irpc->generateCertificateRequestV2(emptyKeys, challenge, &csr);
-    if (!status.isOk()) {
-        std::cerr << "Bundle extraction failed for '" << componentName
-                  << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
-        exit(-1);
-    }
-
-    return composeCertificateRequestV3(csr);
-}
-
-void selfTestGetCsrV3(std::string_view componentName, IRemotelyProvisionedComponent* irpc) {
+                                   IRemotelyProvisionedComponent* irpc, bool selfTest) {
     std::vector<uint8_t> csr;
     std::vector<MacedPublicKey> emptyKeys;
     const std::vector<uint8_t> challenge = generateChallenge();
@@ -247,17 +236,20 @@ void selfTestGetCsrV3(std::string_view componentName, IRemotelyProvisionedCompon
         exit(-1);
     }
 
-    auto result = verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, challenge);
-    if (!result) {
-        std::cerr << "Self test failed for '" << componentName
-                  << "'. Error message: " << result.message() << "." << std::endl;
-        exit(-1);
+    if (selfTest) {
+        auto result = verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, challenge);
+        if (!result) {
+            std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName
+                      << "'. Error message: '" << result.message() << "'." << std::endl;
+            exit(-1);
+        }
     }
 
-    std::cout << "Self test successful." << std::endl;
+    return composeCertificateRequestV3(csr);
 }
 
-CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc) {
+CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc,
+                         bool selfTest) {
     RpcHardwareInfo hwInfo;
     auto status = irpc->getHardwareInfo(&hwInfo);
     if (!status.isOk()) {
@@ -267,24 +259,11 @@ CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedCom
     }
 
     if (hwInfo.versionNumber < kVersionWithoutSuperencryption) {
+        if (selfTest) {
+            selfTestGetCsrV1(componentName, irpc);
+        }
         return getCsrV1(componentName, irpc);
     } else {
-        return getCsrV3(componentName, irpc);
-    }
-}
-
-void selfTestGetCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc) {
-    RpcHardwareInfo hwInfo;
-    auto status = irpc->getHardwareInfo(&hwInfo);
-    if (!status.isOk()) {
-        std::cerr << "Failed to get hardware info for '" << componentName
-                  << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
-        exit(-1);
-    }
-
-    if (hwInfo.versionNumber < kVersionWithoutSuperencryption) {
-        selfTestGetCsrV1(componentName, irpc);
-    } else {
-        selfTestGetCsrV3(componentName, irpc);
+        return getCsrV3(componentName, irpc, selfTest);
     }
 }
diff --git a/provisioner/rkp_factory_extraction_lib.h b/provisioner/rkp_factory_extraction_lib.h
index a2183380..ae8ea6b6 100644
--- a/provisioner/rkp_factory_extraction_lib.h
+++ b/provisioner/rkp_factory_extraction_lib.h
@@ -46,7 +46,8 @@ std::vector<uint8_t> generateChallenge();
 // what went wrong.
 CborResult<cppbor::Array>
 getCsr(std::string_view componentName,
-       aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent* irpc);
+       aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent* irpc,
+       bool selfTest);
 
 // Generates a test certificate chain and validates it, exiting the process on error.
 void selfTestGetCsr(
diff --git a/provisioner/rkp_factory_extraction_lib_test.cpp b/provisioner/rkp_factory_extraction_lib_test.cpp
index 72d7b716..3fe88da8 100644
--- a/provisioner/rkp_factory_extraction_lib_test.cpp
+++ b/provisioner/rkp_factory_extraction_lib_test.cpp
@@ -180,7 +180,8 @@ TEST(LibRkpFactoryExtractionTests, GetCsrWithV2Hal) {
                         SetArgPointee<6>(kFakeMac),             //
                         Return(ByMove(ScopedAStatus::ok()))));  //
 
-    auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get());
+    auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get(),
+                                   /*selfTest=*/false);
     ASSERT_THAT(csr, NotNull()) << csrErrMsg;
     ASSERT_THAT(csr->asArray(), Pointee(Property(&Array::size, Eq(4))));
 
@@ -249,7 +250,8 @@ TEST(LibRkpFactoryExtractionTests, GetCsrWithV3Hal) {
         .WillOnce(DoAll(SaveArg<1>(&challenge), SetArgPointee<2>(kCsr),
                         Return(ByMove(ScopedAStatus::ok()))));
 
-    auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get());
+    auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get(),
+                                   /*selfTest=*/false);
     ASSERT_THAT(csr, NotNull()) << csrErrMsg;
     ASSERT_THAT(csr, Pointee(Property(&Array::size, Eq(5))));
 
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 2aeabe0a..5ba777e8 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -35,10 +35,10 @@ using namespace cppbor;
 using namespace cppcose;
 
 DEFINE_string(output_format, "build+csr", "How to format the output. Defaults to 'build+csr'.");
-DEFINE_bool(self_test, false,
-            "If true, the tool does not output CSR data, but instead performs a self-test, "
-            "validating a test payload for correctness. This may be used to verify a device on the "
-            "factory line before attempting to upload the output to the device info service.");
+DEFINE_bool(self_test, true,
+            "If true, this tool performs a self-test, validating the payload for correctness. "
+            "This checks that the device on the factory line is producing valid output "
+            "before attempting to upload the output to the device info service.");
 
 namespace {
 
@@ -81,17 +81,13 @@ void getCsrForInstance(const char* name, void* /*context*/) {
         exit(-1);
     }
 
-    if (FLAGS_self_test) {
-        selfTestGetCsr(name, rkp_service.get());
-    } else {
-        auto [request, errMsg] = getCsr(name, rkp_service.get());
-        if (!request) {
-            std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl;
-            exit(-1);
-        }
-
-        writeOutput(std::string(name), *request);
+    auto [request, errMsg] = getCsr(name, rkp_service.get(), FLAGS_self_test);
+    if (!request) {
+        std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl;
+        exit(-1);
     }
+
+    writeOutput(std::string(name), *request);
 }
 
 }  // namespace